Order deny, allow
Deny from all
That is all you have to write to block access to windows with apache. No XML, nice simple... I can explain that to anyone in 1min and can write it in even less time. XML == Evil!
Before you all come back at me about how IIS can use NTFS to secure its files.. so can apache for windows and Apache for Linux if you decide to install ACL.